Detecting attacks using handshake requests systems and methods

ABSTRACT

Systems and methods for detecting attacks using a handshake request are provided. A plurality of devices can receive a plurality of handshake requests to establish TLS connections that include a respective application request. At least one of the plurality of handshake requests can include a first application request. The plurality of devices can record each of the respective application requests to a registry of application requests. A first device of the plurality of devices can receive a subsequent handshake request to establish a subsequent TLS connection that includes the first application request. The first device can query, prior to accepting the first application request, the registry for the first application request. The first device can determine whether to accept or reject the first application request responsive to identifying from the query that the first application request has not been or has been recorded in the registry.

BACKGROUND

In many server deployments, users transmit sensitive or encrypted dataover a network to a server. The transmission can be maliciously orfraudulently repeated or delayed in the form of a replay attack. Forexample, two or more identical copies of a request may be processed ifthe requests arrive at different servers. Thus, in many serverdeployments, it can become increasingly difficult to determine whichclient requests have been seen before. Many server protocols may notprovide sufficient protection against a network attacker who makes acopy of the client request and replays it to the server at a later time.

SUMMARY

Systems and methods for detecting attacks using a handshake request isprovided herein. A group or plurality of devices, such as but notlimited to transport layer security (TLS) servers, can detect andprevent replay attacks mounted against a plurality of servers (e.g.,application servers) in a network. In embodiments, the plurality ofdevices can be disposed in a network between a plurality of clientdevices and a plurality of application servers. The devices can maintaina registry containing a record of requests received at one or more ofthe plurality of devices. The requests can correspond to handshakerequests that include an application request, a TLS connection requestor both an application request and a TLS connection request. Thus, thedevices can process requests for an application and a TLS connection ata same time. In some embodiments, the devices can maintain the registryin a distributed manner across multiple devices such that each of thedevices maintain a share or portion of the registry. The differentportions or registry subsets can be similar or substantially similar insize.

The plurality of devices can share ownership of recording andmaintaining records of received requests. For example, the devices cancommunicate with each other to determine which device in the pluralityof devices is or will be the responsible owner device for recording arequest when the respective request is received. The device receivingthe request can identify the owner device and query the owner device todetermine whether or not the request has been seen before. Thus, theplurality of devices can detect and prevent attacks by querying aregistry or registry subsets maintained at each of the different devicesto determine if a new request has been previously recorded in theregistry prior to processing or accepting the new request.

The systems and methods described herein can provide protection againstreplay attacks even when replay attacks are mounted against disparatecores in a multi-core system or disparate systems in a multi-systemdeployment (cluster). Each of the devices can be configured to actindependently, yet the coordination of independent devices using thesystems and methods provides comprehensive replay detection. Forexample, the devices can communicate with each other throughnode-to-node messaging or core-to-core messaging to identify anddetermine if a request has been previously received and recorded. Thus,the systems and methods described herein can be scaled to a larger groupof devices as each device in the plurality of devices shares a portionor subset of a registry. The devices can execute the same mappingfunction such that a request can arrive at or be received by any of thedevices and each device can agree on which device is or will be theowner device to record the respective request in a registry subsetmaintained at the respective owner device.

In a first aspect, a method for detecting attacks using a handshakerequest having an application request is provided. The method caninclude receiving, by a plurality of devices, a plurality of handshakerequests to establish a respective transport layer security (TLS)connection that include a respective application request. At least oneof the plurality of handshake requests can include a first applicationrequest. The method can include recording, by the plurality of devices,each of the respective application requests to a registry of applicationrequests. The method can include receiving, by a first device of theplurality of devices, a subsequent handshake request to establish asubsequent TLS connection that includes the first application request.The method can include querying, by the first device prior to acceptingthe first application request, the registry for the first applicationrequest. The method can include determining, by the first device, toreject the first application request responsive to identifying from thequery that the first application request has been recorded in theregistry.

In some embodiments, the method can include dropping the applicationrequest by the first device responsive to the determination butaccepting a TLS connection request included in the subsequent handshakerequest. The method can include establishing the respective TLSconnection of each of the plurality of handshakes requests by one ormore of the plurality of devices. The plurality of devices can beintermediary to a plurality of clients and a plurality of servers.

The method can include selecting, using a mapping function, for each ofthe plurality of handshake requests a device from the plurality ofdevices for storing the respective application request to the registry.Each of the plurality of devices can store a portion of the registry. Insome embodiments, the method can include determining, by the firstdevice, which of the plurality of devices is to store the firstapplication request in the registry. The method can include maintainingthe recordation of the first application request in the registry untilan expiration period.

In some embodiments, the method can include receiving, by a seconddevice of the plurality of devices, a second subsequent handshakerequest to establish a second subsequent TLS connection that includes asecond application request and querying, by the second device prior toaccepting the second application request, the registry for the secondapplication request. The method can include determining, by the seconddevice, to accept the second application request responsive toidentifying from the query that the second application request has notbeen recorded in the registry, and accepting a TLS connection requestincluded in the second subsequent handshake request.

In another aspect, a system for detecting attacks using a handshakerequest having an application request is provided. The system caninclude a plurality of devices configured to receive a plurality ofhandshake requests to establish a respective transport layer security(TLS) connection that include a respective application request. At leastone of the plurality of handshake requests can include a firstapplication request. One or more of the plurality of devices can beconfigured to record each of the respective application requests to aregistry of application requests. A first device of the plurality ofdevices can be configured to receive a subsequent handshake request toestablish a subsequent TLS connection that includes the firstapplication request. The first device can query prior to accepting thefirst application request, the registry for the first applicationrequest. The first device can determine to reject the first applicationrequest responsive to identifying from the query that the firstapplication request has been recorded in the registry.

In some embodiments, the first device can drop the first applicationrequest responsive to the determination but accept a TLS connectionrequest included in the subsequent handshake request. The respective TLSconnection of each of the plurality of handshakes can be established byone or more of the plurality of devices. The plurality of devices can beintermediary to a plurality of clients and a plurality of servers.

In some embodiments, a device from the plurality of devices can beselected, using a mapping function, for storing to the registry therespective application request for each of the plurality of handshakerequests. Each of the plurality of devices stores a portion of theregistry. The first device can be further configured to determine whichof the plurality of devices is to store the first application request inthe registry. The recordation of the first application request can bemaintained in the registry until an expiration period.

In some embodiments, a second device of the plurality of devices can beconfigured to receive a second handshake request to establish a secondsubsequent TLS connection that includes a second application request andquery, prior to accepting the second application request, the registryfor the second application request. The second device can be furtherconfigured to accept the second application request responsive toidentifying from the query that the second application request has notbeen recorded in the registry, and accept a TLS connection requestincluded in the second subsequent handshake request.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

Objects, aspects, features, and advantages of embodiments disclosedherein will become more fully apparent from the following detaileddescription, the appended claims, and the accompanying drawing figuresin which like reference numerals identify similar or identical elements.Reference numerals that are introduced in the specification inassociation with a drawing figure may be repeated in one or moresubsequent figures without additional description in the specificationin order to provide context for other features, and not every elementmay be labeled in every figure. The drawing figures are not necessarilyto scale, emphasis instead being placed upon illustrating embodiments,principles and concepts. The drawings are not intended to limit thescope of the claims included herewith.

FIG. 1A is a block diagram of a network computing system, in accordancewith an illustrative embodiment;

FIG. 1B is a block diagram of a network computing system for deliveringa computing environment from a server to a client via an appliance, inaccordance with an illustrative embodiment;

FIG. 1C is a block diagram of a computing device, in accordance with anillustrative embodiment;

FIG. 2 is a block diagram of an appliance for processing communicationsbetween a client and a server, in accordance with an illustrativeembodiment;

FIG. 3 is a block diagram of a virtualization environment, in accordancewith an illustrative embodiment;

FIG. 4 is a block diagram of a cluster system, in accordance with anillustrative embodiment;

FIG. 5 is a block diagram of a system for detecting attacks using ahandshake request having an application request; and

FIGS. 6A-6B are a flow diagram of a method for detecting attacks using ahandshake request having an application request.

DETAILED DESCRIPTION

For purposes of reading the description of the various embodimentsbelow, the following descriptions of the sections of the specificationand their respective contents may be helpful:

Section A describes a network environment and computing environmentwhich may be useful for practicing embodiments described herein; and

Section B describes embodiments of systems and methods for detectingattacks using a handshake request having an application request.

A. Network and Computing Environment

Referring to FIG. 1A, an illustrative network environment 100 isdepicted. Network environment 100 may include one or more clients102(1)-102(n) (also generally referred to as local machine(s) 102 orclient(s) 102) in communication with one or more servers 106(1)-106(n)(also generally referred to as remote machine(s) 106 or server(s) 106)via one or more networks 104(1)-104 n (generally referred to asnetwork(s) 104). In some embodiments, a client 102 may communicate witha server 106 via one or more appliances 200(1)-200 n (generally referredto as appliance(s) 200 or gateway(s) 200).

Although the embodiment shown in FIG. 1A shows one or more networks 104between clients 102 and servers 106, in other embodiments, clients 102and servers 106 may be on the same network 104. The various networks 104may be the same type of network or different types of networks. Forexample, in some embodiments, network 104(1) may be a private networksuch as a local area network (LAN) or a company Intranet, while network104(2) and/or network 104(n) may be a public network, such as a widearea network (WAN) or the Internet. In other embodiments, both network104(1) and network 104(n) may be private networks. Networks 104 mayemploy one or more types of physical networks and/or network topologies,such as wired and/or wireless networks, and may employ one or morecommunication transport protocols, such as transmission control protocol(TCP), internet protocol (IP), user datagram protocol (UDP) or othersimilar protocols.

As shown in FIG. 1A, one or more appliances 200 may be located atvarious points or in various communication paths of network environment100. For example, appliance 200 may be deployed between two networks104(1) and 104(2), and appliances 200 may communicate with one anotherto work in conjunction to, for example, accelerate network trafficbetween clients 102 and servers 106. In other embodiments, the appliance200 may be located on a network 104. For example, appliance 200 may beimplemented as part of one of clients 102 and/or servers 106. In anembodiment, appliance 200 may be implemented as a network device such asNetScaler® products sold by Citrix Systems, Inc. of Fort Lauderdale,Fla.

As shown in FIG. 1A, one or more servers 106 may operate as a serverfarm 38. Servers 106 of server farm 38 may be logically grouped, and mayeither be geographically co-located (e.g., on premises) orgeographically dispersed (e.g., cloud based) from clients 102 and/orother servers 106. In an embodiment, server farm 38 executes one or moreapplications on behalf of one or more of clients 102 (e.g., as anapplication server), although other uses are possible, such as a fileserver, gateway server, proxy server, or other similar server uses.Clients 102 may seek access to hosted applications on servers 106.

As shown in FIG. 1A, in some embodiments, appliances 200 may include, bereplaced by, or be in communication with, one or more additionalappliances, such as WAN optimization appliances 205(1)-205(n), referredto generally as WAN optimization appliance(s) 205. For example, WANoptimization appliance 205 may accelerate, cache, compress or otherwiseoptimize or improve performance, operation, flow control, or quality ofservice of network traffic, such as traffic to and/or from a WANconnection, such as optimizing Wide Area File Services (WAFS),accelerating Server Message Block (SMB) or Common Internet File System(CIFS). In some embodiments, appliance 205 may be a performanceenhancing proxy or a WAN optimization controller. In one embodiment,appliance 205 may be implemented as CloudBridge® products sold by CitrixSystems, Inc. of Fort Lauderdale, Fla.

Referring to FIG. 1B, an example network environment, 100′, fordelivering and/or operating a computing network environment on a client102 is shown. As shown in FIG. 1B, a server 106 may include anapplication delivery system 190 for delivering a computing environment,application, and/or data files to one or more clients 102. Client 102may include client agent 50 and computing environment 15. Computingenvironment 15 may execute or operate an application, 16, that accesses,processes or uses a data file 17. Computing environment 15, application16 and/or data file 17 may be delivered via appliance 200 and/or theserver 106.

Appliance 200 may accelerate delivery of all or a portion of computingenvironment 15 to a client 102, for example by the application deliverysystem 190. For example, appliance 200 may accelerate delivery of astreaming application and data file processable by the application froma data center to a remote user location by accelerating transport layertraffic between a client 102 and a server 106. Such acceleration may beprovided by one or more techniques, such as: 1) transport layerconnection pooling, 2) transport layer connection multiplexing, 3)transport control protocol buffering, 4) compression, 5) caching, orother techniques. Appliance 200 may also provide load balancing ofservers 106 to process requests from clients 102, act as a proxy oraccess server to provide access to the one or more servers 106, providesecurity and/or act as a firewall between a client 102 and a server 106,provide Domain Name Service (DNS) resolution, provide one or morevirtual servers or virtual internet protocol servers, and/or provide asecure virtual private network (VPN) connection from a client 102 to aserver 106, such as a secure socket layer (SSL) VPN connection and/orprovide encryption and decryption operations.

Application delivery management system 190 may deliver computingenvironment 15 to a user (e.g., client 102), remote or otherwise, basedon authentication and authorization policies applied by policy engine195. A remote user may obtain a computing environment and access toserver stored applications and data files from any network-connecteddevice (e.g., client 102). For example, appliance 200 may request anapplication and data file from server 106. In response to the request,application delivery system 190 and/or server 106 may deliver theapplication and data file to client 102, for example via an applicationstream to operate in computing environment 15 on client 102, or via aremote-display protocol or otherwise via remote-based or server-basedcomputing. In an embodiment, application delivery system 190 may beimplemented as any portion of the Citrix Workspace Suite™ by CitrixSystems, Inc., such as XenApp® or XenDesktop®.

Policy engine 195 may control and manage the access to, and executionand delivery of, applications. For example, policy engine 195 maydetermine the one or more applications a user or client 102 may accessand/or how the application should be delivered to the user or client102, such as a server-based computing, streaming or delivering theapplication locally to the client 50 for local execution.

For example, in operation, a client 102 may request execution of anapplication (e.g., application 16′) and application delivery system 190of server 106 determines how to execute application 16′, for examplebased upon credentials received from client 102 and a user policyapplied by policy engine 195 associated with the credentials. Forexample, application delivery system 190 may enable client 102 toreceive application-output data generated by execution of theapplication on a server 106, may enable client 102 to execute theapplication locally after receiving the application from server 106, ormay stream the application via network 104 to client 102. For example,in some embodiments, the application may be a server-based or aremote-based application executed on server 106 on behalf of client 102.Server 106 may display output to client 102 using a thin-client orremote-display protocol, such as the Independent Computing Architecture(ICA) protocol by Citrix Systems, Inc. of Fort Lauderdale, Fla. Theapplication may be any application related to real-time datacommunications, such as applications for streaming graphics, streamingvideo and/or audio or other data, delivery of remote desktops orworkspaces or hosted services or applications, for exampleinfrastructure as a service (IaaS), workspace as a service (WaaS),software as a service (SaaS) or platform as a service (PaaS).

One or more of servers 106 may include a performance monitoring serviceor agent 197. In some embodiments, a dedicated one or more servers 106may be employed to perform performance monitoring. Performancemonitoring may be performed using data collection, aggregation,analysis, management and reporting, for example by software, hardware ora combination thereof. Performance monitoring may include one or moreagents for performing monitoring, measurement and data collectionactivities on clients 102 (e.g., client agent 50), servers 106 (e.g.,agent 197) or an appliance 200 and/or 205 (agent not shown). In general,monitoring agents (e.g., 50 and/or 197) execute transparently (e.g., inthe background) to any application and/or user of the device. In someembodiments, monitoring agent 197 includes any of the productembodiments referred to as EdgeSight by Citrix Systems, Inc. of FortLauderdale, Fla.

The monitoring agents may monitor, measure, collect, and/or analyze dataon a predetermined frequency, based upon an occurrence of givenevent(s), or in real time during operation of network environment 100.The monitoring agents may monitor resource consumption and/orperformance of hardware, software, and/or communications resources ofclients 102, networks 104, appliances 200 and/or 205, and/or servers106. For example, network connections such as a transport layerconnection, network latency, bandwidth utilization, end-user responsetimes, application usage and performance, session connections to anapplication, cache usage, memory usage, processor usage, storage usage,database transactions, client and/or server utilization, active users,duration of user activity, application crashes, errors, or hangs, thetime required to log-in to an application, a server, or the applicationdelivery system, and/or other performance conditions and metrics may bemonitored.

The monitoring agents may provide application performance management forapplication delivery system 190. For example, based upon one or moremonitored performance conditions or metrics, application delivery system190 may be dynamically adjusted, for example periodically or inreal-time, to optimize application delivery by servers 106 to clients102 based upon network environment performance and conditions.

In described embodiments, clients 102, servers 106, and appliances 200and 205 may be deployed as and/or executed on any type and form ofcomputing device, such as any desktop computer, laptop computer, ormobile device capable of communication over at least one network andperforming the operations described herein. For example, clients 102,servers 106 and/or appliances 200 and 205 may each correspond to onecomputer, a plurality of computers, or a network of distributedcomputers such as computer 101 shown in FIG. 1C.

As shown in FIG. 1C, computer 101 may include one or more processors103, volatile memory 52 (e.g., RAM), non-volatile memory 58 (e.g., oneor more hard disk drives (HDDs) or other magnetic or optical storagemedia, one or more solid state drives (SSDs) such as a flash drive orother solid state storage media, one or more hybrid magnetic and solidstate drives, and/or one or more virtual storage volumes, such as acloud storage, or a combination of such physical storage volumes andvirtual storage volumes or arrays thereof), user interface (UI) 53, oneor more communications interfaces 118, and communication bus 150. Userinterface 53 may include graphical user interface (GUI) 54 (e.g., atouchscreen, a display, etc.) and one or more input/output (I/O) devices56 (e.g., a mouse, a keyboard, etc.). Non-volatile memory 58 storesoperating system 115, one or more applications 116, and data 117 suchthat, for example, computer instructions of operating system 115 and/orapplications 116 are executed by processor(s) 103 out of volatile memory52. Data may be entered using an input device of GUI 54 or received fromI/O device(s) 56. Various elements of computer 101 may communicate viacommunication bus 150. Computer 101 as shown in FIG. 1C is shown merelyas an example, as clients 102, servers 106 and/or appliances 200 and 205may be implemented by any computing or processing environment and withany type of machine or set of machines that may have suitable hardwareand/or software capable of operating as described herein.

Processor(s) 103 may be implemented by one or more programmableprocessors executing one or more computer programs to perform thefunctions of the system. As used herein, the term “processor” describesan electronic circuit that performs a function, an operation, or asequence of operations. The function, operation, or sequence ofoperations may be hard coded into the electronic circuit or soft codedby way of instructions held in a memory device. A “processor” mayperform the function, operation, or sequence of operations using digitalvalues or using analog signals. In some embodiments, the “processor” canbe embodied in one or more application specific integrated circuits(ASICs), microprocessors, digital signal processors, microcontrollers,field programmable gate arrays (FPGAs), programmable logic arrays(PLAs), multi-core processors, or general-purpose computers withassociated memory. The “processor” may be analog, digital ormixed-signal. In some embodiments, the “processor” may be one or morephysical processors or one or more “virtual” (e.g., remotely located or“cloud”) processors.

Communications interfaces 118 may include one or more interfaces toenable computer 101 to access a computer network such as a LAN, a WAN,or the Internet through a variety of wired and/or wireless or cellularconnections.

In described embodiments, a first computing device 101 may execute anapplication on behalf of a user of a client computing device (e.g., aclient 102), may execute a virtual machine, which provides an executionsession within which applications execute on behalf of a user or aclient computing device (e.g., a client 102), such as a hosted desktopsession, may execute a terminal services session to provide a hosteddesktop environment, or may provide access to a computing environmentincluding one or more of: one or more applications, one or more desktopapplications, and one or more desktop sessions in which one or moreapplications may execute.

Additional details of the implementation and operation of networkenvironment 100, clients 102, servers 106, and appliances 200 and 205may be as described in U.S. Pat. No. 9,538,345, issued Jan. 3, 2017 toCitrix Systems, Inc. of Fort Lauderdale, Fla., the teachings of whichare hereby incorporated herein by reference.

FIG. 2 shows an example embodiment of appliance 200. As describedherein, appliance 200 may be implemented as a server, gateway, router,switch, bridge or other type of computing or network device. As shown inFIG. 2, an embodiment of appliance 200 may include a hardware layer 206and a software layer 205 divided into a user space 202 and a kernelspace 204. Hardware layer 206 provides the hardware elements upon whichprograms and services within kernel space 204 and user space 202 areexecuted and allow programs and services within kernel space 204 anduser space 202 to communicate data both internally and externally withrespect to appliance 200. As shown in FIG. 2, hardware layer 206 mayinclude one or more processing units 262 for executing software programsand services, memory 264 for storing software and data, network ports266 for transmitting and receiving data over a network, and encryptionprocessor 260 for encrypting and decrypting data such as in relation toSecure Socket Layer (SSL) or Transport Layer Security (TLS) processingof data transmitted and received over the network.

An operating system of appliance 200 allocates, manages, or otherwisesegregates the available system memory into kernel space 204 and userspace 202. Kernel space 204 is reserved for running kernel 230,including any device drivers, kernel extensions or other kernel relatedsoftware. As known to those skilled in the art, kernel 230 is the coreof the operating system, and provides access, control, and management ofresources and hardware-related elements of application 104. Kernel space204 may also include a number of network services or processes workingin conjunction with cache manager 232.

Appliance 200 may include one or more network stacks 267, such as aTCP/IP based stack, for communicating with client(s) 102, server(s) 106,network(s) 104, and/or other appliances 200 or 205. For example,appliance 200 may establish and/or terminate one or more transport layerconnections between clients 102 and servers 106. Each network stack 267may include a buffer for queuing one or more network packets fortransmission by appliance 200.

Kernel space 204 may include cache manager 232, packet engine 240,encryption engine 234, policy engine 236 and compression engine 238. Inother words, one or more of processes 232, 240, 234, 236 and 238 runs inthe core address space of the operating system of appliance 200, whichmay reduce the number of data transactions to and from the memory and/orcontext switches between kernel mode and user mode, for example sincedata obtained in kernel mode may not need to be passed or copied to auser process, thread or user level data structure.

Cache manager 232 may duplicate original data stored elsewhere or datapreviously computed, generated or transmitted to reducing the accesstime of the data. In some embodiments, the cache memory may be a dataobject in memory 264 of appliance 200, or may be a physical memoryhaving a faster access time than memory 264.

Policy engine 236 may include a statistical engine or otherconfiguration mechanism to allow a user to identify, specify, define orconfigure a caching policy and access, control and management ofobjects, data or content being cached by appliance 200, and define orconfigure security, network traffic, network access, compression orother functions performed by appliance 200.

Encryption engine 234 may process any security related protocol, such asSSL or TLS. For example, encryption engine 234 may encrypt and decryptnetwork packets, or any portion thereof, communicated via appliance 200,may setup or establish SSL, TLS or other secure connections, for examplebetween client 102, server 106, and/or other appliances 200 or 205. Insome embodiments, encryption engine 234 may use a tunneling protocol toprovide a VPN between a client 102 and a server 106. In someembodiments, encryption engine 234 is in communication with encryptionprocessor 260. Compression engine 238 compresses network packetsbi-directionally between clients 102 and servers 106 and/or between oneor more appliances 200.

Packet engine 240 may manage kernel-level processing of packets receivedand transmitted by appliance 200 via network stacks 267 to send andreceive network packets via network ports 266. Packet engine 240 mayoperate in conjunction with encryption engine 234, cache manager 232,policy engine 236 and compression engine 238, for example to performencryption/decryption, traffic management such as request-level contentswitching and request-level cache redirection, and compression anddecompression of data.

User space 202 is a memory area or portion of the operating system usedby user mode applications or programs otherwise running in user mode. Auser mode application may not access kernel space 204 directly and usesservice calls in order to access kernel services. User space 202 mayinclude graphical user interface (GUI) 210, a command line interface(CLI) 212, shell services 214, health monitor 216, and daemon services218. GUI 210 and CLI 212 enable a system administrator or other user tointeract with and control the operation of appliance 200, such as viathe operating system of appliance 200. Shell services 214 include theprograms, services, tasks, processes or executable instructions tosupport interaction with appliance 200 by a user via the GUI 210 and/orCLI 212.

Health monitor 216 monitors, checks, reports and ensures that networksystems are functioning properly and that users are receiving requestedcontent over a network, for example by monitoring activity of appliance200. In some embodiments, health monitor 216 intercepts and inspects anynetwork traffic passed via appliance 200. For example, health monitor216 may interface with one or more of encryption engine 234, cachemanager 232, policy engine 236, compression engine 238, packet engine240, daemon services 218, and shell services 214 to determine a state,status, operating condition, or health of any portion of the appliance200. Further, health monitor 216 may determine whether a program,process, service or task is active and currently running, check status,error or history logs provided by any program, process, service or taskto determine any condition, status or error with any portion ofappliance 200. Additionally, health monitor 216 may measure and monitorthe performance of any application, program, process, service, task orthread executing on appliance 200.

Daemon services 218 are programs that run continuously or in thebackground and handle periodic service requests received by appliance200. In some embodiments, a daemon service may forward the requests toother programs or processes, such as another daemon service 218 asappropriate.

As described herein, appliance 200 may relieve servers 106 of much ofthe processing load caused by repeatedly opening and closing transportlayers connections to clients 102 by opening one or more transport layerconnections with each server 106 and maintaining these connections toallow repeated data accesses by clients via the Internet (e.g.,“connection pooling”). To perform connection pooling, appliance 200 maytranslate or multiplex communications by modifying sequence numbers andacknowledgment numbers at the transport layer protocol level (e.g.,“connection multiplexing”). Appliance 200 may also provide switching orload balancing for communications between the client 102 and server 106.

As described herein, each client 102 may include client agent 50 forestablishing and exchanging communications with appliance 200 and/orserver 106 via a network 104. Client 102 may have installed and/orexecute one or more applications that are in communication with network104. Client agent 50 may intercept network communications from a networkstack used by the one or more applications. For example, client agent 50may intercept a network communication at any point in a network stackand redirect the network communication to a destination desired, managedor controlled by client agent 50, for example to intercept and redirecta transport layer connection to an IP address and port controlled ormanaged by client agent 50. Thus, client agent 50 may transparentlyintercept any protocol layer below the transport layer, such as thenetwork layer, and any protocol layer above the transport layer, such asthe session, presentation or application layers. Client agent 50 caninterface with the transport layer to secure, optimize, accelerate,route or load-balance any communications provided via any protocolcarried by the transport layer.

In some embodiments, client agent 50 is implemented as an IndependentComputing Architecture (ICA) client developed by Citrix Systems, Inc. ofFort Lauderdale, Fla. Client agent 50 may perform acceleration,streaming, monitoring, and/or other operations. For example, clientagent 50 may accelerate streaming an application from a server 106 to aclient 102. Client agent 50 may also perform end-pointdetection/scanning and collect end-point information about client 102for appliance 200 and/or server 106. Appliance 200 and/or server 106 mayuse the collected information to determine and provide access,authentication and authorization control of the client's connection tonetwork 104. For example, client agent 50 may identify and determine oneor more client-side attributes, such as: the operating system and/or aversion of an operating system, a service pack of the operating system,a running service, a running process, a file, presence or versions ofvarious applications of the client, such as antivirus, firewall,security, and/or other software.

Additional details of the implementation and operation of appliance 200may be as described in U.S. Pat. No. 9,538,345, issued Jan. 3, 2017 toCitrix Systems, Inc. of Fort Lauderdale, Fla., the teachings of whichare hereby incorporated herein by reference.

Referring now to FIG. 3, a block diagram of a virtualized environment300 is shown. As shown, a computing device 302 in virtualizedenvironment 300 includes a virtualization layer 303, a hypervisor layer304, and a hardware layer 307. Hypervisor layer 304 includes one or morehypervisors (or virtualization managers) 301 that allocates and managesaccess to a number of physical resources in hardware layer 307 (e.g.,physical processor(s) 321 and physical disk(s) 328) by at least onevirtual machine (VM) (e.g., one of VMs 306) executing in virtualizationlayer 303. Each VM 306 may include allocated virtual resources such asvirtual processors 332 and/or virtual disks 342, as well as virtualresources such as virtual memory and virtual network interfaces. In someembodiments, at least one of VMs 306 may include a control operatingsystem (e.g., 305) in communication with hypervisor 301 and used toexecute applications for managing and configuring other VMs (e.g., guestoperating systems 310) on device 302.

In general, hypervisor(s) 301 may provide virtual resources to anoperating system of VMs 306 in any manner that simulates the operatingsystem having access to a physical device. Thus, hypervisor(s) 301 maybe used to emulate virtual hardware, partition physical hardware,virtualize physical hardware, and execute virtual machines that provideaccess to computing environments. In an illustrative embodiment,hypervisor(s) 301 may be implemented as a XEN hypervisor, for example asprovided by the open source Xen.org community. In an illustrativeembodiment, device 302 executing a hypervisor that creates a virtualmachine platform on which guest operating systems may execute isreferred to as a host server. In such an embodiment, device 302 may beimplemented as a XEN server as provided by Citrix Systems, Inc., of FortLauderdale, Fla.

Hypervisor 301 may create one or more VMs 306 in which an operatingsystem (e.g., control operating system 305 and/or guest operating system310) executes. For example, the hypervisor 301 loads a virtual machineimage to create VMs 306 to execute an operating system. Hypervisor 301may present VMs 306 with an abstraction of hardware layer 307, and/ormay control how physical capabilities of hardware layer 307 arepresented to VMs 306. For example, hypervisor(s) 301 may manage a poolof resources distributed across multiple physical computing devices.

In some embodiments, one of VMs 306 (e.g., the VM executing controloperating system 305) may manage and configure other of VMs 306, forexample by managing the execution and/or termination of a VM and/ormanaging allocation of virtual resources to a VM. In variousembodiments, VMs may communicate with hypervisor(s) 301 and/or other VMsvia, for example, one or more Application Programming Interfaces (APIs),shared memory, and/or other techniques.

In general, VMs 306 may provide a user of device 302 with access toresources within virtualized computing environment 300, for example, oneor more programs, applications, documents, files, desktop and/orcomputing environments, or other resources. In some embodiments, VMs 306may be implemented as fully virtualized VMs that are not aware that theyare virtual machines (e.g., a Hardware Virtual Machine or HVM). In otherembodiments, the VM may be aware that it is a virtual machine, and/orthe VM may be implemented as a paravirtualized (PV) VM.

Although shown in FIG. 3 as including a single virtualized device 302,virtualized environment 300 may include a plurality of networked devicesin a system in which at least one physical host executes a virtualmachine. A device on which a VM executes may be referred to as aphysical host and/or a host machine. For example, appliance 200 may beadditionally or alternatively implemented in a virtualized environment300 on any computing device, such as a client 102, server 106 orappliance 200. Virtual appliances may provide functionality foravailability, performance, health monitoring, caching and compression,connection multiplexing and pooling and/or security processing (e.g.,firewall, VPN, encryption/decryption, etc.), similarly as described inregard to appliance 200.

Additional details of the implementation and operation of virtualizedcomputing environment 300 may be as described in U.S. Pat. No.9,538,345, issued Jan. 3, 2017 to Citrix Systems, Inc. of FortLauderdale, Fla., the teachings of which are hereby incorporated hereinby reference.

In some embodiments, a server may execute multiple virtual machines 306,for example on various cores of a multi-core processing system and/orvarious processors of a multiple processor device. For example, althoughgenerally shown herein as “processors” (e.g., in FIGS. 1C, 2 and 3), oneor more of the processors may be implemented as either single- ormulti-core processors to provide a multi-threaded, parallel architectureand/or multi-core architecture. Each processor and/or core may have oruse memory that is allocated or assigned for private or local use thatis only accessible by that processor/core, and/or may have or use memorythat is public or shared and accessible by multiple processors/cores.Such architectures may allow work, task, load or network trafficdistribution across one or more processors and/or one or more cores(e.g., by functional parallelism, data parallelism, flow-based dataparallelism, etc.).

Further, instead of (or in addition to) the functionality of the coresbeing implemented in the form of a physical processor/core, suchfunctionality may be implemented in a virtualized environment (e.g.,300) on a client 102, server 106 or appliance 200, such that thefunctionality may be implemented across multiple devices, such as acluster of computing devices, a server farm or network of computingdevices, etc. The various processors/cores may interface or communicatewith each other using a variety of interface techniques, such as core tocore messaging, shared memory, kernel APIs, etc.

In embodiments employing multiple processors and/or multiple processorcores, described embodiments may distribute data packets among cores orprocessors, for example to balance the flows across the cores. Forexample, packet distribution may be based upon determinations offunctions performed by each core, source and destination addresses,and/or whether: a load on the associated core is above a predeterminedthreshold; the load on the associated core is below a predeterminedthreshold; the load on the associated core is less than the load on theother cores; or any other metric that can be used to determine where toforward data packets based in part on the amount of load on a processor.

For example, data packets may be distributed among cores or processesusing receive-side scaling (RSS) in order to process packets usingmultiple processors/cores in a network. RSS generally allows packetprocessing to be balanced across multiple processors/cores whilemaintaining in-order delivery of the packets. In some embodiments, RSSmay use a hashing scheme to determine a core or processor for processinga packet.

The RSS may generate hashes from any type and form of input, such as asequence of values. This sequence of values can include any portion ofthe network packet, such as any header, field or payload of networkpacket, and include any tuples of information associated with a networkpacket or data flow, such as addresses and ports. The hash result or anyportion thereof may be used to identify a processor, core, engine, etc.,for distributing a network packet, for example via a hash table,indirection table, or other mapping technique.

Additional details of the implementation and operation of amulti-processor and/or multi-core system may be as described in U.S.Pat. No. 9,538,345, issued Jan. 3, 2017 to Citrix Systems, Inc. of FortLauderdale, Fla., the teachings of which are hereby incorporated hereinby reference.

Although shown in FIGS. 1A and 1B as being single appliances, appliances200 may be implemented as one or more distributed or clusteredappliances. Individual computing devices or appliances may be referredto as nodes of the cluster. A centralized management system may performload balancing, distribution, configuration, or other tasks to allow thenodes to operate in conjunction as a single computing system. Such acluster may be viewed as a single virtual appliance or computing device.FIG. 4 shows a block diagram of an illustrative computing device clusteror appliance cluster 400. A plurality of appliances 200 or othercomputing devices (e.g., nodes) may be joined into a single cluster 400.Cluster 400 may operate as an application server, network storageserver, backup service, or any other type of computing device to performmany of the functions of appliances 200 and/or 205.

In some embodiments, each appliance 200 of cluster 400 may beimplemented as a multi-processor and/or multi-core appliance, asdescribed herein. Such embodiments may employ a two-tier distributionsystem, with one appliance if the cluster distributing packets to nodesof the cluster, and each node distributing packets for processing toprocessors/cores of the node. In many embodiments, one or more ofappliances 200 of cluster 400 may be physically grouped orgeographically proximate to one another, such as a group of bladeservers or rack mount devices in a given chassis, rack, and/or datacenter. In some embodiments, one or more of appliances 200 of cluster400 may be geographically distributed, with appliances 200 notphysically or geographically co-located. In such embodiments,geographically remote appliances may be joined by a dedicated networkconnection and/or VPN. In geographically distributed embodiments, loadbalancing may also account for communications latency betweengeographically remote appliances.

In some embodiments, cluster 400 may be considered a virtual appliance,grouped via common configuration, management, and purpose, rather thanas a physical group. For example, an appliance cluster may comprise aplurality of virtual machines or processes executed by one or moreservers.

As shown in FIG. 4, appliance cluster 400 may be coupled to a firstnetwork 104(1) via client data plane 402, for example to transfer databetween clients 102 and appliance cluster 400. Client data plane 402 maybe implemented a switch, hub, router, or other similar network deviceinternal or external to cluster 400 to distribute traffic across thenodes of cluster 400. For example, traffic distribution may be performedbased on equal-cost multi-path (ECMP) routing with next hops configuredwith appliances or nodes of the cluster, open-shortest path first(OSPF), stateless hash-based traffic distribution, link aggregation(LAG) protocols, or any other type and form of flow distribution, loadbalancing, and routing.

Appliance cluster 400 may be coupled to a second network 104(2) viaserver data plane 404. Similarly, to client data plane 402, server dataplane 404 may be implemented as a switch, hub, router, or other networkdevice that may be internal or external to cluster 400. In someembodiments, client data plane 402 and server data plane 404 may bemerged or combined into a single device.

In some embodiments, each appliance 200 of cluster 400 may be connectedvia an internal communication network or back plane 406. Back plane 406may enable inter-node or inter-appliance control and configurationmessages, for inter-node forwarding of traffic, and/or for communicatingconfiguration and control traffic from an administrator or user tocluster 400. In some embodiments, back plane 406 may be a physicalnetwork, a VPN or tunnel, or a combination thereof.

Additional details of cluster 400 may be as described in U.S. Pat. No.9,538,345, issued Jan. 3, 2017 to Citrix Systems, Inc. of FortLauderdale, Fla., the teachings of which are hereby incorporated hereinby reference.

B. Detecting Attacks using Handshake Requests

The systems and methods described herein can detect attacks, such as butnot limited to replay attacks, using handshake requests. The pluralityof devices (e.g., transport layer security servers) can be disposed in anetwork between a plurality of client devices and a plurality ofapplication servers. The devices can maintain a registry containing arecord of each request received within a predetermined time period orbefore an expiration period. The devices can use the registry to detectand prevent attacks containing copied or replayed client data. Forexample, the devices can maintain and update the registry when a requestor subsequent request is received and processed. The devices can detectand prevent attacks by querying the registry to determine if a newrequest has been previously recorded in the registry prior to processingor accepting the new request. In some embodiments, the devices canmaintain the registry in a distributed manner across multiple devicessuch that each of the devices stores a share or portion of the registry.For example, in some embodiments, when a request arrives at a firstdevice, the first device can use a mapping function to determine whichdevice in the group of devices is or will be the responsible ownerdevice for recording the respective request. The first device can querythe responsible owner device to determine whether or not the request hasbeen seen before or previously recorded.

In some embodiments, the devices can execute the same mapping functionor mapping algorithm for determining an owner device amongst theplurality of devices. For example, each of the devices can execute thesame mapping function such that a request can arrive at or be receivedby any of the devices and each device can agree on which device is orwill be the owner device to record the respective request in a registrysubset maintained at the respective owner device. In some embodiments,the mapping function can include a consistent hashing technique over aset of nodes corresponding to the plurality of devices to identify thenext owner device for a request. The request can query or otherwisecheck to determine if a request has been previously recorded can beperformed using the core-to-core and node-to-node messaging between theplurality of devices.

In some embodiments, an incoming or subsequent request from a clientdevice can be routed to at least one device (e.g., TLS server) of aplurality of devices. The device receiving the request can execute amapping function to determine which device is the owner device for therequest and thus, responsible for recording the respective request. Inan embodiment, the mapping function can be configured to distribute therequests equally or substantially equally across the plurality ofdevices such that an equal share or substantially equal share ofrequests can be mapped and/or recorded at a registry subset at each ofthe devices. The receiving device can query the owner device todetermine if the request has been seen before or recorded previously.The owner device can examine the registry subset maintained at the ownerdevice and respond back to the receiving device indicating whether therequest is present in the respective registry subset or not. If therequest is not present in the respective registry subset, the ownerdevice can store or record the request in its registry subset. Thereceiving device can process or otherwise accept the request. Processingthe request can include establishing an application connection to atleast one application hosted by at least one application server. If therequest is present in the respective registry subset, the owner devicecan leave the request in the respective registry subset. The receivingdevice can reject the request.

Referring to FIG. 5, depicted is a block diagram of a system 500 fordetecting attacks using handshake requests. As depicted in FIG. 5, aplurality of client devices 502 a-502 n can interact with a plurality ofdevices 510 a-510 n to process requests for one or more applications 522a-522 n hosted by one or more application servers 520 a-520 n. Forexample, requests (e.g., handshake requests) from the client devices 502a-502 n can be received at the plurality of devices 510 a-510 n. Theplurality of devices 510 a-510 n can process the requests to detect andprevent replay attacks mounted against the client devices 502 a-502 nand/or the plurality of application servers 520 a-520 n.

The client devices 502 a-502 n can be an instance of any client devicedescribed herein. For example, the client devices 502 a-502 n can be thesame as or substantially similar to at least one of clients 102(1)-102 nof FIG. 1A or client 102 of FIG. 1B. The client devices 502 a-502 n caninclude a client application 504 executing thereon. The clientapplication 504 can include or provide a browser 506 for the clientdevices 502 a-502 n to interact with applications 522 a-522 n hosted bythe application servers 520 a-520 n. The client application 504 may bean instance of any client application or appliance described herein. Theclient application 504 can include or be provided a device (e.g.,intermediary device) or appliance. For example, the client application504 can be the same as, substantially similar to, or be provided byappliances 200(1)-200(n) of FIG. 1A and appliance 200 of FIGS. 1B-2. Theclient application 504 with the browser (e.g., embedded browser (CEB))can include a CEB. The browser 506 can include elements andfunctionalities of a web browser application or engine. The browser 506can locally render one or more of application 522 a-522 n as a componentor extension of the client application 504. For example, the browser 506can render a SaaS/Web application inside the CEB which can provide theCEB with full visibility and control of at least one application session530 a-530 n.

The devices 510 a-510 n can include intermediary devices that aredisposed within a network 104 intermediary to a plurality of clients 502a-502 n and a plurality of applications servers 520 a-520 n. The devices510 a-510 n can include servers, third party servers or transport layersecurity (TLS) servers. For example, the devices 510 a-510 n include TLSservers that provide or implement TLS protocol for communicationssecurity over network 104 (e.g., network 104 of FIG. 1A) between theplurality of clients 502 a-502 n and the plurality of applicationsservers 520 a-520 n. The devices 510 a-510 n can be the same as orsubstantially similar to servers 106(1)-106 n of FIGS. 1A and server 106of FIG. 1B. For example, the devices 510 a-510 n may include anapplication delivery system for delivering a computing environment,application, and/or data files to client devices 502 a-502 n.

In embodiments, the devices 510 a-510 n can establish an applicationconnection 532 a-532 n between at least one of the client devices 502a-502 n and at least one of the application servers 520 a-520 n. Thedevices 510 a-510 n can establish a TLS connection 530 a-530 n between aclient device 502 and at least one of the devices 510 a-510 n. Theconnections 530 a-530 n, 532 a-532 n (e.g., TLS connections, applicationconnections, application sessions) can include encrypted connections orsecure connections established between a client device and a deviceand/or application server. For example, the connections 530 a-530 n, 532a-532 n can include encrypted and/or secure sessions established betweenan application and a client device and/ or between a device and a clientdevice. The connections 530 a-530 n, 532 a-532 n can include encrypteddata or traffic transmitted between at least one application and aclient device and/or at least one device and a client device.

The devices 510 a-510 n can maintain a registry 512 or a portion of aregistry 512 a-512 n (referred to herein as a registry subset). Forexample, the devices 510 a-510 n can maintain a registry subset 512a-512 n containing a record of one or more requests 514 a-514 n. In someembodiments, the registry 512 or registry subsets 512 a-512 n cancontain a record of each request 514 received within a predeterminedtime period or within an expiration period. In some embodiments, theregistry 512 or registry subsets 512 a-512 n can maintain or keep arecord of each request 514 received for a predetermined time period orfor an expiration period. The devices 510 a-510 n can update theirrespective registry subset 512 maintained at the respective device 510when a request 514 is processed, accepted, and/or recorded. In someembodiments, the devices 510 a-510 n can communicate with each other toupdate a registry subset 512 maintained by at least one device 510 whena request 514 is processed, accepted, and/or recorded. Thus, before anyrequest 514 or subsequent request 514 is processed, the registry 512 ora registry subset 512 can be queried to determine if the request 514 hasbeen previously recorded in the registry 512 or a registry subset 512.

The registry subsets 512 a-512 n can correspond to a distributed orpartitioned registry 512 that has been partitioned across multipledevices 510 a-501 n. For example, each of the devices 510 a-510 n canmaintain at least one registry subset 512 of a plurality of registrysubsets 512 a-512 n that in combination form a single registry 512 forrecording requests 514 a-514 n. In some embodiments, each of theregistry subsets 512 a-512 n can be the same size. In some embodiments,one or more registry subsets 512 a-512 n can be a different size fromone or more other registry subsets 512 a-512 n maintained at theplurality of devices 510 a-510 n. In some embodiments, the devices 510a-510 n can maintain a registry subset 512 containing a record of eachrequest 514 received at the respective device 510. In some embodiments,the devices 510 a-510 n can maintain a registry subset 514 containing arecord of each request 514 that the respective device 510 owns. Theregistry 514 or registry subsets 514 a-514 n can include a fixed-sizedata structure (e.g., a counting Bloom filter) or a dynamically sizeddata structure. In some embodiments, the memory requirements or size ofthe respective registry of the devices 510 a-510 n and/or each of theregistries 512 a-512 n can fixed and selected such that they do not needto increase even in response to high request rates, which makes thesystems and methods described herein resilient against particularattacks, such as but not limited to, distributed denial-of-service(DDoS) attacks.

The registries 512 a-512 n can include a plurality of requests 514 a-514n. The requests 514 a-514 n can include multiple requests for differentdevices or applications. The requests 514 a-514 n can correspond tohandshake requests transmitted between the client devices 502 a-502 nand the plurality of devices 510 a-510 n. The requests 514 a-514 n caninclude a TLS connection request and an application request. Therequests 514 a-514 n can include a first request to establish a TLSconnection with at least one device 510 of the plurality of devices 510a-510 n. The requests 514 a-514 n can include a second request or firstapplication request to establish a connection to at least oneapplication server 520 of the plurality of application servers 520 a-520n. The requests 514 a-514 n can identify at least one device 510 of theplurality of devices 510 a-501n to establish a TLS connection 530 withthe client device 502. In some embodiments, the requests 514 a-514 n canidentify the device that the request is transmitted to or the devicethat receives the request. The request can identify at least oneapplication server of the plurality of application servers to establishan application connection with the client device. In some embodiments,the request can identify at least one application hosted or provided byat least one application server of the plurality of application servers.

The application servers 520 a-520 n can be the same as or substantiallysimilar to servers 106(1)-106 n of FIGS. 1A and server 106 of FIG. 1B.For example, the 520 a-520 n may include an application delivery systemfor delivering a computing environment, application 522 a-522 n, and/ordata files to client devices 502 a-502 n. The servers 520 a-520 n caninclude remote severs or third party servers that host one or moreapplications 522 a-522 n.

The applications 522 a-522 n may include network applications 1130a-1130 n that are served from and/or hosted on one or more servers, hereapplication servers 520 a-520 n. The applications 522 a-522 n caninclude an application hosted on at least one server 520 accessed by atleast one client device 502 via a network 104. The applications 522a-522 n can include, but not limited to, a web application, a desktopapplication, remote-hosted application, a virtual application, asoftware as a service (SaaS) application, a mobile application, an HDXapplication, a local application, a native application (e.g., native tothe client device), and/or a device couple with one or more of theclient devices 502 a-502 n.

Network 104 may be a public network, such as a wide area network (WAN)or the Internet. In some embodiments, network 104 may be a privatenetwork such as a local area network (LAN) or a company Intranet.Network 104 may employ one or more types of physical networks and/ornetwork topologies, such as wired and/or wireless networks, and mayemploy one or more communication transport protocols, such astransmission control protocol (TCP), internet protocol (IP), userdatagram protocol (UDP) or other similar protocols.

The connections 530 a-530 n, 532 a-532 n can include any type or form ofa session as described herein. For example, connections 530 a-530 n, 532a-532 n may include, but not limited to, an application session, anexecution session, a desktop session, a hosted desktop session, aterminal services session, a browser session, a remote desktop session,a URL session and a remote application session. The TLS connections 530a-530 n may include encrypted and/or secure sessions established betweenat least one device 510 and at least one client 502. The applicationconnections 532 a-532 n may include encrypted and/or secure sessionsestablished between an application 522 a-522 n and at least one clientdevice 502.

Each of the above-mentioned elements or entities is implemented inhardware, or a combination of hardware and software, in one or moreembodiments. Each component of the client application 504 may beimplemented using hardware or a combination of hardware or softwaredetailed above in connection with FIGS. 1A-4. For instance, each ofthese elements or entities can include any application, program,library, script, task, service, process or any type and form ofexecutable instructions executing on hardware of a client device (e.g.,the client device 502). The hardware includes circuitry such as one ormore processors in one or more embodiments.

Referring now to FIGS. 6A-6B, depicted is a flow diagram of oneembodiment of a method 600 for detecting attacks using a handshakerequest comprising an application request. The functionalities of themethod 600 may be implemented using, or performed by, the componentsdetailed herein in connection with FIGS. 1-5. In brief overview, aplurality of handshake requests can be received (605). Each of theplurality of handshake requests can be recorded (610). A subsequenthandshake request can be received (615). A device to handle thesubsequent handshake request can be identified (620). The identifieddevice can be queried (625). A determination can be made if thesubsequent handshake request is in a registry (630). If the request isnot found in the registry, the request can be recorded in the registry(635). The subsequent handshake request can be accepted and processed(640). If the request is found in the registry, the request can be leftin the registry (645). The subsequent handshake request can be rejected(650).

Referring now to operation (605), and in some embodiments, a pluralityof handshake requests can be received. For example, method 600 caninclude receiving, by a plurality of devices 510 a-510 n, a plurality ofhandshake requests to establish a respective transport layer security(TLS) connection 530 that include a respective application request. Theplurality of handshake requests can include a first application request.In some embodiments, the handshake requests can include an applicationrequest, a TLS connection request, or both an application request and aTLS connection request. A client device 502 can transmit a handshakerequest to at least one of a plurality of devices 510 a-510 n. Aplurality of client devices 502 a-502 n can transmit a pluralityhandshake requests to a plurality of devices 510 a-510 n. In someembodiments, multiple client devices 502 a-502 n can transmit at leastone handshake request to at least one device 510 of a plurality ofdevices. Each of the client devices 502 a-502 n can transmit one or morehandshake requests to one or more devices 510 a-510 n of a plurality ofdevices 510 a-510 n.

The plurality of devices 510 a-510 n can be intermediary to a pluralityof clients 502 a-502 n and a plurality of servers 520 a-520 n. Forexample, the devices 510 a-510 n can include intermediary devicesdisposed between one or more clients 502 a-502 n and one or moreapplication servers 520 a-520 n. The devices 510 a-510 n can includeservers, third party servers or TLS servers. For example, the devices510 a-510 n can implement TLS protocol to provide communicationssecurity over a network 104. In some embodiments, the devices 510 a-510n can implement TLS protocol to provide communications security over anetwork 104. The devices 510 a-510 n can establish a connection (e.g.,application connection 532) between a client device 502 and anapplication server 520. The devices 510 a-510 n can establish a TLSconnection 530 between a client device 502 and at least one of thedevices 510 a-510 n.

The request 514 can include multiple requests for different devices orapplications. For example, the request 514 can include a TLS connectionrequest and an application request. The request 514 can include a firstrequest to establish a TLS connection 530 with at least one device 510of the plurality of devices 510 a-510 n. The request 514 can include asecond request or first application request to establish a connection toat least one application server 520. The request 514 can identify atleast one device 510 of the plurality of devices 510 a-510 n toestablish a TLS connection 530 with the client device 502. In someembodiments, the request 514 can identify the device 510 that therequest 514 is transmitted to or the device 510 that receives therequest 514. The request 514 can identify at least one applicationserver 520 of the plurality of application servers 520 a-520 n toestablish an application connection 532 with the client device 502. Insome embodiments, the request 514 can identify at least one application522 hosted or provided by at least one application server 520 a-520 n ofthe plurality of application servers 520 a-520 n.

In some embodiments, a plurality of TLS connections 530 a-530 n can beestablished by the plurality of devices 510 a-510 n responsive to theplurality of handshakes requests 514 a-514 n. For example, a TLSconnection 530 can be established responsive to each handshake request514. The TLS connection 530 can be established between the client device502 and at least one of the devices 510 of the plurality of devices 510a-510 n for at least one handshake request 514 or for multiple handshakerequests 514. In some embodiments, the client device 502 can establishmultiple TLS connections 530 a-530 n with multiple different devices 510a-510 n of the plurality of devices 510 a-510 n. The TLS connection 530can be established between the client device 502 and the device 510receiving the handshake request 514. In some embodiments, the TLSconnection 530 can be established between the client device 502 and anowner device 510 that is identified to own or handle the respectivehandshake request 514. For example, the receiving device 510 canidentify at least one other device 510 of the plurality of devices 510a-510 n that is the owner device 510 or the device 510 to handle therespective handshake request 514 and can forward the respectivehandshake request 514 to the identified owner device 510. The identifiedowner device 510 can establish a TLS connection 530 to the client device502 that transmitted the respective handshake request 514.

Referring now to operation (610), and in some embodiments, each of theplurality of handshake requests 514 can be recorded. For example, method600 can include recording, by the plurality of devices 510 a-510 n, eachof the respective application requests 514 to a registry 512 ofapplication requests 514. The devices 510 a-510 n can maintain aregistry 512 (e.g., request registry) for recording received requests514 a-514 n. The devices 510 a-510 n can maintain a portion or subset ofa registry 512 for recording received requests 514 a-514 n. For example,each of the devices 510 a-510 n of the plurality of devices 510 a-510 ncan maintain a portion or subset of a main registry 512 for recordingreceived requests 514 a-514 n. The subsets of the registry 512 a-512 nmaintained at one or more of the devices 510 a-510 n can combine to formthe main registry 512 having each of the recorded requests 514 a-514 npreviously received by the plurality of devices 510 a-510 n. Thus, themain registry 512 can be spread out or partitioned into multiple subsets512 a-512 n maintained at one or more of the devices 510 a-510 n of theplurality of devices 510 a-510 n. In some embodiments, the requestregistry 512 can be maintained at a remote or third party server that isseparate from the plurality of devices 510 a-510 n. The devices 510a-510 n can communicate with the request registry 512 to determine if arequest 514 has been previously received and/or recorded. The devices510 a-510 n can communicate with the request registry 512 to update oradd a new entry responsive to receiving a new request 514 that has notbeen previously received and/or recorded.

In some embodiments, the devices 510 a-510 n can establish a subset of aregistry 512. For example, a registry subset 512 can be established ateach of the devices 510 a-510 n. The devices 510 a-510 n can establish aregistry subset 512 responsive to receiving a first or initial request514. In some embodiments, a device 510 can establish a registry subset512 responsive to receiving a forwarded or transmitted request 514 fromat least one other device 510 of the plurality of devices 510 a-510 n.The registry 512 or registry subset 512 can be generated as a databasehaving a plurality of entries for recording received requests. Forexample, the registry 512 or registry subset 512 can be generated as afixed-size data structure (e.g., counting Bloom filter) or a dynamicdata structure.

The devices 510 a-510 n can forward or transmit a received request 514to at least one different device 510 of the plurality of devices 510a-510 n to record and store the received request 514. For example, thedevices 510 a-510 n can spread out the requests 514 received from one ormore clients 502 a-502 n amongst the plurality of devices 510 a-510 n tobalance a plurality of requests 514 amongst the plurality of devices 510a-510 n. The devices 510 a-510 n can spread out the requests 514 a-514 nreceived from one or more clients 502 a-502 n amongst the plurality ofdevices 510 a-510 n such that each device 510 handles, processes and/orrecords a similar number of requests 514 a-514 n. In some embodiments,an incoming or subsequent request 514 from a client device 502 can berouted to at least one device 510 of a plurality of devices 510 a-510 n.The device 510 receiving the request 514 can execute a mapping functionto determine which device 510 is the owner device 510 for the request514 and thus, responsible for recording the respective request 514. Inan embodiment, the mapping function can be configured to distribute therequests 514 a-514 n equally or substantially equally across theplurality of devices 510 a-510 n such that an equal share orsubstantially equal share of requests 514 a-514 n can be mapped and/orrecorded at a registry subset 512 at each of the devices 510 a-510 n.The mapping function can include a consistent hashing technique appliedover a set of nodes corresponding to the plurality of devices 510 a-510n to identify the next owner device 510 for a request 514. The receivedrequests 514 a-514 n can be stored in registry subsets 512 a-512 n atthe different devices 510 a-510 n based in part on a hashing techniqueor hashing algorithm. Each of the devices 510 a-510 n of the pluralityof devices 510 a-510 n can be assigned a unique hash value using a hashfunction. Responsive to receiving a request 514, each of the devices 510a-510 n can use the hash values to identify the appropriate owner device510 to transit or forward the received request 514 to handle and/orrecord in the respective registry subset 512.

The registry subsets 512 a-512 n can include an entry for each receivedrequest 514 a-514 n. For example, the devices 510 a-510 n can recordand/or store each received request in at least one entry of thecorresponding registry subset maintained at the respective device 510.The devices 510 a-510 n can record and/or store each request 514 thatthe respective device 510 owns in at least one entry of thecorresponding registry subset 512 maintained at the respective device510. The entry for each request 514 can include a variety of differentdata corresponding to the request 514. For example, the entry for eachrequest 514 can include, but not limited to, TLS connection requestdata, application request data (e.g., requested application, requestedapplication server), an identifier and/or data corresponding to theclient device that transmitted the request, time stamp data, encryptiondata, and/or hash codes. The devices 510 a-510 n can forward or transmita received request 514 to a request registry 512 maintained at a remoteserver. The remote server can record and/or store each request 514received at the plurality of devices 510 a-510 n in at least one entryof the corresponding registry 512 maintained at the remote server.

Referring now to operation (615), and in some embodiments, a subsequenthandshake request 514 can be received. For example, method 600 caninclude receiving, by a first device 510 of the plurality of devices510a-510 n, a subsequent handshake request 514 to establish a subsequentTLS connection 530 that includes the first application request. A firstdevice 510 of the plurality of devices 510 a-510 n can receive ahandshake request 514. The handshake request 514 can be subsequent to aplurality of previously received handshake requests 514 a-514 n. In someembodiments, the handshake request 514 can be subsequent to a pluralityof previously received handshake requests 514 a-514 n that have beenrecorded and/or stored at a registry 512 (e.g., request registry) or atone or more registry subsets 512 a-512 n maintained at one or moredevices 510 a-510 n of the plurality of devices 510 a-510 n. Forexample, each of the plurality of devices 510 a-510 n can store and/ormaintain a portion of a registry 512. In an embodiment, each of theplurality of devices 510 a-510 n can store and/or maintain a registrysubset 512 that is a portion of the registry 512.

The subsequent handshake request 514 can include a TLS connectionrequest and an application request. For example, the subsequenthandshake request can include a request to establish a TLS connection530 with at least one of the devices 510 a-510 n of the plurality ofdevices 510 a-510 n. The subsequent handshake request 514 can include arequest for an application server 520 or an application 522 hosted orprovided by at least one application server 520 of a plurality ofapplication servers 520 a-520 n. In an embodiment, the subsequenthandshake request 514 can include a first application request thatidentifies an application server 520, an application 522 hosted orprovided by at least one application server 520 of a plurality ofapplication servers 520 a-520 n, and/or a resource hosted or provided byat least one application server 520 of a plurality of applicationservers 520 a-520 n.

Referring now to operation (620), and in some embodiments, a device 510to handle the subsequent handshake request 514 can be identified. Forexample, the method can include selecting, using a mapping function, foreach of the plurality of handshake requests 514 a-514 n a device 510from the plurality of devices 510 a-510 n for storing the respectiveapplication request 514 to the registry 512. In some embodiments, thedevice 510 receiving the subsequent handshake request 514 can perform amapping function or execute a mapping algorithm to identify theappropriate owner device 510 of the subsequent handshake request 514amongst the plurality of devices 510 a-510 n. The appropriate owner orowner device 510 as used herein can refer to the device 510 that recordsand/or stores a handshake request 514. Thus, the device 510 receivingthe subsequent handshake request 514 can identify the owner device 510for the subsequent handshake request 514 using the mapping function.

In some embodiments, the first device 510 can determine which of theplurality of devices 510 a-510 n is to store the first applicationrequest 514 in the registry 512 or in a registry subset 512. Forexample, the first device 510 can determine which of the plurality ofdevices 510 a-510 n is the owner device 510 for the subsequent handshakerequest 514 and which of the plurality of devices 510 a-510 n is theowner device 510 to store the first application request 514 in aregistry subset 512 maintained at the owner device 510. In someembodiments, the device 510 receiving the subsequent handshake request514 may be the owner or the device 510 to record the subsequenthandshake request 514. For example, the device 510 can perform themapping function and determine that the device 510 that initiallyreceived the subsequent handshake request 514 is the owner device 510for the subsequent handshake request 514.

In some embodiments, the device 510 receiving the subsequent handshakerequest 514 may not be the owner or the device 510 to record thesubsequent handshake request 514. For example, the device 510 canperform the mapping function and determine that at least one otherdevice 510 that is different from the device 510 that initially receivedthe subsequent handshake request 514 is the owner device 510 for thesubsequent handshake request 514. For example, a first device 510 canperform the mapping function and determine that a second device 510 ofthe plurality of devices 510 a-510 n that is different from the firstdevice 510 is the owner device 510 for the subsequent handshake request514.

Referring now to operation (625), and in some embodiments, theidentified device 510 can be queried. In some embodiments, the firstdevice 510 of the plurality of devices 510 a-510 n can query theidentified owner device 510. The first device 510 (e.g., device thatinitially received the subsequent handshake request) can performcore-to-core and node-to-node messaging to communicate with theidentified owner device 510. The query can include a message,transmission, or request from the first device 510 to the identifiedowner device 510 asking the owner device 510 if the owner device 510 haspreviously recorded and/or stored the subsequent handshake request 514.The query can include a message, transmission, or request from the firstdevice 510 to the identified owner device 510 asking the owner device510 if the owner device 510 has previously recorded and/or stored ahandshake request 514 having similar codes, encryptions and/or data asthe subsequent handshake request 514.

Referring now to operation (630), and in some embodiments, adetermination can be made if the subsequent handshake request 514 is ina registry 512. For example, method 600 can include querying, by thefirst device 510 prior to accepting the first application request 510,the registry 512 for the first application request 514. The identifiedowner device 510 can determine if the subsequent handshake request 514is in a registry subset 512 maintained at the identified owner device510. For example, the identified owner device 510 can query or searchthe registry subset 512 it maintains for data corresponding to thesubsequent handshake request 514. The data can include, but not limitedto, codes, encryption codes, hash codes, client device identifies, TLSconnection data, and/or application request data. In some embodiments,each received handshake request 514 can be given or otherwise include aunique identifier. The identified owner device 510 can query or searchthe registry subset 512 for the unique identifier corresponding to thesubsequent handshake request 514.

For example, the identified owner device 510 can query or search aregistry 512 maintained at a remote server, separate from the identifiedowner for data corresponding to the subsequent handshake request 514. Insome embodiments, the identified owner device 510 can transmit a request514 to the remote server to search for data corresponding to thesubsequent handshake request 514. The remote server can perform a queryor search and generate a response indicating whether or not thesubsequent handshake request 514 has been previously recorded and/orstored. The identified owner device 510 can generate a response to thefirst device 510 indicating whether or not the subsequent handshakerequest 514 has been previously recorded and/or stored. In someembodiments, the response can indicate that the subsequent handshakerequest 514 and/or data corresponding to the subsequent handshakerequest 514 has been previously recorded and/or stored. For example, theresponse can indicate that the subsequent handshake request 514 or datacorresponding to the subsequent handshake request 514 has beenpreviously recorded and/or stored at the registry subset 512 of theidentified owner device 510 or has been previously recorded and/orstored at the registry of a remote server. In some embodiments, theresponse can indicate that the subsequent handshake request 514 and/ordata corresponding to the subsequent handshake request 514 has not beenpreviously recorded and/or stored. For example, the response canindicate that no entry in the registry subset 512 of the identifiedowner device 510 or a registry of a remote server includes thesubsequent handshake request 514 and/or data corresponding to thesubsequent handshake request 514. The identified owner device 510 cantransmit the response to the first device 510 or the device 510 of theplurality of devices 510 a-510 n that received (e.g., initiallyreceived) the subsequent handshake request 514.

Referring now to operation (635), and in some embodiments, if therequest 514 is not found in the registry 512, the request 514 can berecorded in the registry 512. The first device 510 can receive aresponse or a message (e.g., core-to-core message, node-to-node message)from the identified owner device 510 indicating that the subsequenthandshake request 514, application request 514 and/or data correspondingto the subsequent handshake request 514 is not included in an entry ofthe registry subset 512 maintained at the identified owner device 510.The first device 510 can forward the subsequent handshake request 514,the application request 514 and/or data corresponding to the subsequenthandshake request 514 to the identified owner device 510. The firstdevice 510 can transmit a message instructing or otherwise indicating tothe identified owner device 510 to record and/or store the subsequenthandshake request and/or data corresponding to the handshake request.The identified owner device 510 can record and/or store the subsequenthandshake request 514, the application request 514, and/or datacorresponding to the subsequent handshake request 514 in at least oneentry of the registry subset 512 maintained at or by the identifiedowner device 510. In some embodiments, the identified owner device 510can generate a new entry in the registry subset 512 to record thesubsequent handshake request 514, the application request 514 and/ordata corresponding to the subsequent handshake request 514. In someembodiments, the identified owner device 510 can update an existingentry in the registry subset 512 to record the subsequent handshakerequest 514, the application request 514, and/or data corresponding tothe subsequent handshake request 514. In some embodiments, theidentified owner device 510 can remove an existing entry in the registrysubset 512 and add a new entry in the registry subset 512 to record thesubsequent handshake request 514, the application request 514, and/ordata corresponding to the subsequent handshake request 514.

In some embodiments, the recordation of the subsequent handshake request514, the application request 514 (e.g., first application request),and/or data corresponding to the subsequent handshake request 514 can bemaintained in the registry 512 or in a registry subset 512 for or withinan expiration period. For example, the subsequent handshake request 514,the application request 514 (e.g., first application request), and/ordata corresponding to the subsequent handshake request 514 can beassigned an expiration period value. In some embodiments, each device510 of the plurality of devices 510 a-510 n can assign the expirationperiod value to recorded handshake requests 514, application requests514, and/or data corresponding to handshake requests 514. For example,the owner device 510 can record the handshake request 514 and/or anapplication request 514 corresponding to the handshake request 514. Theowner device 510 can keep or maintain the record of the handshakerequest 514 and/or an application request 514 in the registry subset 512maintained at the owner device 510 for a predetermined time period orexpiration period.

In some embodiments, to maintain a fixed sized registry or registrysubset, the devices 510 can remove requests 514 a-514 n or entries thathave been maintained in the respective registry 512 or registry subsets512 a-512 n longer than the expiration period from the respectiveregistry 512 or registry subsets 512 a-512 n. The clean-up of theregistry 512 or registry subsets 512 a-512 n can be done periodically.For example, the clean-up of the registry 512 or registry subsets 512a-512 n can be at set time periods or set time intervals. The removal ofrequests 514 a-514 n or entries can be performed to keep the registry512 or registry subsets 512 a-512 n from filling up. For example,periodically, each device 510 can remove requests 514 a-514 n or entriesfrom its respective registry 512 that are older than the expirationperiod. The expiration period can be configurable. In some embodiments,a replayed request 514 or request 514 that has been previously recordedand that arrives after the expiration period has elapsed for a copy thatwas stored in the registry 514 can be detected using the TLS protocol.The predetermined time period or expiration period can be a variety ofdifferent values. For example, the predetermined time period orexpiration period can correspond to a time period selected for aparticular code (e.g., encryption code, hash code) used for a handshakerequest 514 or application request 514. In some embodiments, thehandshake request 514 or application request 514 can be assigned apredetermined time period or expiration period. The predetermined timeperiod or expiration period can be established by an administrator.

Referring now to operation (640), and in some embodiments, thesubsequent handshake request 514 can be accepted and processed. Thefirst device 510 can generate a response to the client device 502indicating that the subsequent handshake request 514 is accepted andprocessed. The first device 510 can establish an application connection532 from the client device 502 to at least one application server 520 ofthe plurality of application servers 520 a-520 n. In some embodiments,the client device 502 can access at least one application 522 hosted orprovided by at least one application server 520 of the plurality ofapplication servers 520 a-520 n through the application connection 532.

Referring now to operation (645), and in some embodiments, if therequest 514 is found in the registry 512, the request 514 can be left inthe registry 512. For example, if the subsequent handshake request 514,the application request 514 and/or data corresponding to the subsequenthandshake request 514 is already recorded and/or stored in at least oneregistry subset 512 or registry 512 this can indicate that thesubsequent handshake request is a fraudulent request. The first device510 can receive a response or a message (e.g., core-to-core message,node-to-node message) from the identified owner device 510 indicatingthat the subsequent handshake request 514, the application request 514and/or data corresponding to the subsequent handshake request 514 isincluded at least one entry of the registry subset 512 maintained at theidentified owner device 510. The first device 510 can generate a messageto the identified owner device 510 instructing or otherwise indicatingto the identified owner device 510 not to record or store the subsequenthandshake request 514, the application request 514 and/or datacorresponding to the subsequent handshake request 514. The identifiedowner device 510 can delete or remove the subsequent handshake request514, the application request 514 and/or data corresponding to thesubsequent handshake request 514.

Referring now to operation (650), and in some embodiments, thesubsequent handshake request 514 can be rejected. The first device 510can determine to reject the first application request 514 responsive toidentifying from the query that the first application request 514 hasbeen recorded in the registry 512. For example, the first device 510 canreject the application request 514 and/or handshake request 514 as areplay attack. The subsequent handshake request 514, the applicationrequest 514 and/or data corresponding to the subsequent handshakerequest 514 being stored in at least one registry 512 or registry subset512 can indicate that this subsequent handshake request 514 and/orapplication request 514 may correspond to a replay attack. Thus, thefirst device 510 can generate a response to the client device 510indicating that the subsequent handshake request 514 and/or theapplication request 514 is denied or otherwise rejected.

In some embodiments, the first device 510 can drop or reject part of thesubsequent handshake request 514 and accept part of the subsequenthandshake request 514. For example, the first device 510 can drop orreject the application request 514 responsive to the determination butaccept a TLS connection request included in the subsequent handshakerequest 514. The first device 510 can reject the request to connect toan application server 520 or an application 522 hosted by an applicationserver 520 responsive to determining that the subsequent handshakerequest 514 has been previously recorded and accept the TLS connectionrequest included in the subsequent handshake request 514. In someembodiments, the first device 510 can drop or reject the applicationrequest 514 responsive to the determination and reject the TLSconnection request included in the subsequent handshake request 514.

In some embodiments, for each handshake request 514 or each subsequenthandshake request 514, at least one device 510 of the plurality ofdevices 510 a-510 n can query, prior to accepting the handshake request514 or an application request 514 included with the handshake request514, an owner device 510, a registry 512 or registry subset 512 todetermine if the handshake request 514 or an application request 514included with the handshake request 514 has been previously recordedand/or stored in a registry 512 or registry subset 512. For example, asecond device 510 of the plurality of devices 510 a-510 n can receive asecond subsequent handshake request 514 to establish a second subsequentTLS connection that includes a second application request 514. Thesecond device 510 can query, prior to accepting the second applicationrequest 514, the registry 512 or a registry subset 512 for the secondapplication request 514. For example, the second device 510 can identifyan owner device 510 of the plurality of devices 510 a-510 n for thesecond subsequent handshake request 514 and/or the second applicationrequest 514. The second device 510 can query the owner device 510 todetermine if the second subsequent handshake request 514 or secondapplication request 514 has been previously recorded. The owner device510 can generate a response to the second device 514 indicating whetheror not the second subsequent handshake request 514 and/or the secondapplication request 514 has been previously recorded. In someembodiments, the second device 510 can be the owner device 510 of thesecond subsequent handshake request 514. The second device 510 can queryor search the registry subset 512 maintained at the second device 510 towhether or not the second subsequent handshake request 514 and/or thesecond application request 514 has been previously recorded.

In some embodiments, for each handshake request 514 or each subsequenthandshake request 514, at least one device 510 of the plurality ofdevices 510 a-510 n can determine to accept an application request 514responsive to identifying from a query that the respective applicationrequest 514 or handshake request 514 has not been recorded in theregistry 512, and can accept a TLS connection request included in therespective subsequent handshake request 514. For example, the seconddevice 510 of the plurality of devices 510 a-510 n can accept a secondapplication request 514 responsive to identifying from the query thatthe second application request 514 and/or second subsequent handshakerequest 514 has not been recorded in a registry 512 or registry subset512. The second device 510 can accept a TLS connection request includedin the second subsequent handshake request 514. For example, the seconddevice 510 can establish a TLS connection between the client device 502that transmitted the second application request 514 and/or secondsubsequent handshake request 514 and the second device 510.

In some embodiments, for each handshake request 514 or each subsequenthandshake request 514, at least one device 510 of the plurality ofdevices 510 a-510 n can determine to reject an application request 514responsive to identifying from a query that the respective applicationrequest 514 or handshake request 514 has been recorded in the registry512 or registry subset 512, and can reject a TLS connection requestincluded in the second subsequent handshake request 514. For example,the second device 510 of the plurality of devices 510 a-510 n can rejecta second application request 514 responsive to identifying from thequery that the second application request 514 and/or second subsequenthandshake request 514 has been recorded in a registry 512 or registrysubset 512. The second device 510 can reject a TLS connection requestincluded in the second subsequent handshake request 514.

Various elements, which are described herein in the context of one ormore embodiments, may be provided separately or in any suitablesubcombination. For example, the processes described herein may beimplemented in hardware, software, or a combination thereof. Further,the processes described herein are not limited to the specificembodiments described. For example, the processes described herein arenot limited to the specific processing order described herein and,rather, process blocks may be re-ordered, combined, removed, orperformed in parallel or in serial, as necessary, to achieve the resultsset forth herein.

It will be further understood that various changes in the details,materials, and arrangements of the parts that have been described andillustrated herein may be made by those skilled in the art withoutdeparting from the scope of the following claims.

What is claimed is:
 1. A method for detecting attacks using a handshakerequest comprising an application request, the method comprising: (a)receiving, by a plurality of devices, a plurality of handshake requeststo establish a respective transport layer security (TLS) connection thatinclude a respective application request, one of the plurality ofhandshake requests comprising a first application request; (b)recording, by the plurality of devices, each of the respectiveapplication requests to a registry of application requests; (c)receiving, by a first device of the plurality of devices, a subsequenthandshake request to establish a subsequent TLS connection that includesthe first application request; (d) querying, by the first device priorto accepting the first application request, the registry for the firstapplication request; and (e) determining, by the first device, to rejectthe first application request responsive to identifying from the querythat the first application request has been recorded in the registry. 2.The method of claim 1, further comprising dropping the applicationrequest by the first device responsive to the determination butaccepting a TLS connection request included in the subsequent handshakerequest.
 3. The method of claim 1, wherein (a) further comprisesestablishing the respective TLS connection of each of the plurality ofhandshake requests by one or more of the plurality of devices.
 4. Themethod of claim 1, wherein the plurality of devices are intermediary toa plurality of clients and a plurality of servers.
 5. The method ofclaim 1, further comprising selecting, using a mapping function, foreach of the plurality of handshake requests a device from the pluralityof devices for storing the respective application request to theregistry.
 6. The method of claim 1, wherein each of the plurality ofdevices stores a portion of the registry.
 7. The method of claim 1,wherein (d) further comprises determining, by the first device, which ofthe plurality of devices is to store the first application request inthe registry.
 8. The method of claim 1, wherein (e) further comprisesmaintaining the recordation of the first application request in theregistry until an expiration period.
 9. The method of claim 1, furthercomprising receiving, by a second device of the plurality of devices, asecond subsequent handshake request to establish a second subsequent TLSconnection that includes a second application request and querying, bythe second device prior to accepting the second application request, theregistry for the second application request.
 10. The method of claim 9,further comprising determining, by the second device, to accept thesecond application request responsive to identifying from the query thatthe second application request has not been recorded in the registry,and accepting a TLS connection request included in the second subsequenthandshake request.
 11. A system for detecting attacks using a handshakerequest comprising an application request, the system comprising: aplurality of devices configured to receive a plurality of handshakerequests to establish a respective transport layer security (TLS)connection that includes a respective application request, one of theplurality of handshake requests comprising a first application request;wherein one or more of the plurality of devices are configured to recordeach of the respective application requests to a registry of applicationrequests; wherein a first device of the plurality of devices isconfigured to receive a subsequent handshake request to establish asubsequent TLS connection that includes the first application request;query prior to accepting the first application request, the registry forthe first application request; and determine to reject the firstapplication request responsive to identifying from the query that thefirst application request has been recorded in the registry.
 12. Thesystem of claim 11, further comprising dropping the first applicationrequest by the first device responsive to the determination butaccepting a TLS connection request included in the subsequent handshakerequest.
 13. The system of claim 11, wherein the respective TLSconnection of each of the plurality of handshakes are established by oneor more of the plurality of devices.
 14. The system of claim 11, whereinthe plurality of devices are intermediary to a plurality of clients anda plurality of servers.
 15. The system of claim 11, wherein a devicefrom the plurality of devices is selected, using a mapping function, forstoring to the registry the respective application request for each ofthe plurality of handshake requests.
 16. The system of claim 11, whereineach of the plurality of devices stores a portion of the registry. 17.The system of claim 11, wherein the first device is further configuredto determine which of the plurality of devices is to store the firstapplication request in the registry.
 18. The system of claim 11, whereinthe recordation of the first application request is maintained in theregistry until an expiration period.
 19. The system of claim 11, whereina second device of the plurality of devices is configured to receive asecond handshake request to establish a second subsequent TLS connectionthat includes a second application request and query, prior to acceptingthe second application request, the registry for the second applicationrequest.
 20. The system of claim 19, wherein the second device isfurther configured to accept the second application request responsiveto identifying from the query that the second application request hasnot been recorded in the registry, and accept a TLS connection requestincluded in the second subsequent handshake request.